urelas | 8e735f9bbc68a415ae9496fc7e2f7c530e4fd3fd485f3ae0a6128188e6d1b192

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-07-2024 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e735f9bbc68a415ae9496fc7e2f7c530e4fd3fd485f3ae0a6128188e6d1b192.exe
Size

63KB
MD5

0ba209122941a9ef2346cd6ec6bae9fd
SHA1

0fe920efbb3934f3e4693b637f3f811d2b6d22af
SHA256

8e735f9bbc68a415ae9496fc7e2f7c530e4fd3fd485f3ae0a6128188e6d1b192
SHA512

e0ff4a1a73eb449c6bcfda4fed92c6fe8da990a300b348358ad3ea667161ffaa331e5891a50945e6ca064c42d100e7301a8a79afcba84505bb069dd0d95a16d9
SSDEEP

1536:6bQx5oPsr2vFxDPhAvzgAQzFZ77MzeTmq:6bQRSHpAvzyf7MzeTR

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2136 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

biudfw.exe

pid process

2560 biudfw.exe
Loads dropped DLL 1 IoCs

Processes:

8e735f9bbc68a415ae9496fc7e2f7c530e4fd3fd485f3ae0a6128188e6d1b192.exe

pid process

1960 8e735f9bbc68a415ae9496fc7e2f7c530e4fd3fd485f3ae0a6128188e6d1b192.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2136	cmd.exe

pid	process
2560	biudfw.exe

pid	process
1960	8e735f9bbc68a415ae9496fc7e2f7c530e4fd3fd485f3ae0a6128188e6d1b192.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

8e735f9bbc68a415ae9496fc7e2f7c530e4fd3fd485f3ae0a6128188e6d1b192.exe

description	pid	process	target process
PID 1960 wrote to memory of 2560	1960	8e735f9bbc68a415ae9496fc7e2f7c530e4fd3fd485f3ae0a6128188e6d1b192.exe	biudfw.exe
PID 1960 wrote to memory of 2560	1960	8e735f9bbc68a415ae9496fc7e2f7c530e4fd3fd485f3ae0a6128188e6d1b192.exe	biudfw.exe
PID 1960 wrote to memory of 2560	1960	8e735f9bbc68a415ae9496fc7e2f7c530e4fd3fd485f3ae0a6128188e6d1b192.exe	biudfw.exe
PID 1960 wrote to memory of 2560	1960	8e735f9bbc68a415ae9496fc7e2f7c530e4fd3fd485f3ae0a6128188e6d1b192.exe	biudfw.exe
PID 1960 wrote to memory of 2136	1960	8e735f9bbc68a415ae9496fc7e2f7c530e4fd3fd485f3ae0a6128188e6d1b192.exe	cmd.exe
PID 1960 wrote to memory of 2136	1960	8e735f9bbc68a415ae9496fc7e2f7c530e4fd3fd485f3ae0a6128188e6d1b192.exe	cmd.exe
PID 1960 wrote to memory of 2136	1960	8e735f9bbc68a415ae9496fc7e2f7c530e4fd3fd485f3ae0a6128188e6d1b192.exe	cmd.exe
PID 1960 wrote to memory of 2136	1960	8e735f9bbc68a415ae9496fc7e2f7c530e4fd3fd485f3ae0a6128188e6d1b192.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\8e735f9bbc68a415ae9496fc7e2f7c530e4fd3fd485f3ae0a6128188e6d1b192.exe
"C:\Users\Admin\AppData\Local\Temp\8e735f9bbc68a415ae9496fc7e2f7c530e4fd3fd485f3ae0a6128188e6d1b192.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
2⤵
- Executes dropped EXE
PID:2560

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
- Deletes itself
PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
efd90b3ac908d5482af367de3a82184a

SHA1
de9f01d2ed0247b7b347e55c5a09721a60147fb9

SHA256
44f3db1bb73bb207a88008ae28d0399f888b5714ccccb2056f4148b4455e693d

SHA512
6e3355f895af1d81887d5750033c5a139e4a0e1c2c928aeef1fd37f9c191e754b1f524d252c229ea5e744dbef4dd0a8240d9d3443651d42de198e82a197afb02

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
b51d9a37d51f19b0692f1091a2fce873

SHA1
2bd600b25c0aa97923c82959fc008674f067f9a6

SHA256
bcc17fccd57d27dafa2f21359d6c95f6bc6da892dce103de8fd0659d85ddb47f

SHA512
1bd56847e87ea906a7e6e91f3ee96849a5ea01b62626bb7abc3a16d18a66b1a59ba2f34a541be1f19556f07e3394081b2f5b2a9d4151abf1c538fd583775e064

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
63KB

MD5
b9eea5101051e1f8a09ebee3148b1bf9

SHA1
186d35e89df53ea0ce4b49d91dcc9a0a89c688ae

SHA256
d5cbae5684ca03773661f8e54f2e880ebd3174f280d6ade3e939e63362b856b0

SHA512
83ab77390b3bbfcc059bc21707fbb7050d7f2c713d574a149213a6f46fee521c56f2ccf0db4792c45da82c08f6c38d2f7859828d49c956a500c4f0f2558c8ba3

Download Submit
memory/1960-0-0x0000000000F30000-0x0000000000F55000-memory.dmp

Filesize
148KB

Download
memory/1960-8-0x0000000000410000-0x0000000000435000-memory.dmp

Filesize
148KB

Download
memory/1960-19-0x0000000000F30000-0x0000000000F55000-memory.dmp

Filesize
148KB

Download
memory/2560-10-0x0000000000270000-0x0000000000295000-memory.dmp

Filesize
148KB

Download
memory/2560-22-0x0000000000270000-0x0000000000295000-memory.dmp

Filesize
148KB

Download
memory/2560-24-0x0000000000270000-0x0000000000295000-memory.dmp

Filesize
148KB

Download
memory/2560-31-0x0000000000270000-0x0000000000295000-memory.dmp

Filesize
148KB

Download